Overview

overview

10

Static

static

b211613668...4f.exe

windows7_x64

10

b211613668...4f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 05:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe

  • Size

    340KB

  • MD5

    c73cff9e8afd69413185adb5b1ee319b

  • SHA1

    fd0a136d08ede4cb79258252c423de43e1e6f961

  • SHA256

    b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f

  • SHA512

    cd7196797b00d58bea070260b28824b6852c9f13d9791ee84123b0606d606bc51e2c605bd9a2508ad0cdc510403c77cc3b084bf7491f97892db1e4b093674a41

Score
10/10
phorphiexevasionloaderpersistencetrojanworm

Malware Config

Extracted

Family

phorphiex

C2

http://193.32.161.73/

Wallets

1Bn4JYKoVgQpZ73doWVFSNZBbwKj3cpJNR

qqsagteh4m6qunmgrrknulafzcdlmzn35yeggvq8qk

Xt8ZtCcG9BFoc7NfUNBVnxcTvYT4mmzh5i

D7otx94yAiXMUuuff23v8PAYH5XpkdQ89M

0x05F916216CC4BA6ac89b8093d474E2a1e6121c63

LUMrZN6GTetcrXtzMmRayLpRN9JrCNcTe7

t1PVHo3JR9ZAxMxRXgTziGBeDwfb5Gwm64z

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex
  • Phorphiex payload 2 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
    "C:\Users\Admin\AppData\Local\Temp\b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4224
    • C:\Windows\32782278\sysqfgl.exe
      C:\Windows\32782278\sysqfgl.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2100
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1592
        3⤵
        • Program crash
        PID:1196
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2100 -ip 2100
    1⤵
      PID:4564

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    4
    T1112

    Disabling Security Tools

    3
    T1089

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\32782278\sysqfgl.exe
      Filesize

      340KB

      MD5

      c73cff9e8afd69413185adb5b1ee319b

      SHA1

      fd0a136d08ede4cb79258252c423de43e1e6f961

      SHA256

      b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f

      SHA512

      cd7196797b00d58bea070260b28824b6852c9f13d9791ee84123b0606d606bc51e2c605bd9a2508ad0cdc510403c77cc3b084bf7491f97892db1e4b093674a41

      Download Submit
    • C:\Windows\32782278\sysqfgl.exe
      Filesize

      340KB

      MD5

      c73cff9e8afd69413185adb5b1ee319b

      SHA1

      fd0a136d08ede4cb79258252c423de43e1e6f961

      SHA256

      b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f

      SHA512

      cd7196797b00d58bea070260b28824b6852c9f13d9791ee84123b0606d606bc51e2c605bd9a2508ad0cdc510403c77cc3b084bf7491f97892db1e4b093674a41

      Download Submit
    • memory/2100-137-0x0000000000000000-mapping.dmp
      Download
    • memory/2100-140-0x0000000000400000-0x0000000000459000-memory.dmp
      Filesize

      356KB

      Download
    • memory/2100-141-0x00000000024A0000-0x00000000024AD000-memory.dmp
      Filesize

      52KB

      Download
    • memory/2100-146-0x0000000000400000-0x0000000000459000-memory.dmp
      Filesize

      356KB

      Download
    • memory/4224-130-0x0000000000400000-0x0000000000459000-memory.dmp
      Filesize

      356KB

      Download
    • memory/4224-131-0x0000000000400000-0x0000000000459000-memory.dmp
      Filesize

      356KB

      Download
    • memory/4224-132-0x0000000002490000-0x000000000249D000-memory.dmp
      Filesize

      52KB

      Download